From f69cec5ba8804544a89f7c1e24b82b8de467a249 Mon Sep 17 00:00:00 2001
From: NullBite
Date: Sun, 14 Jul 2024 15:07:47 -0400
Subject: [PATCH] authelia: wip

---
 hosts/rpi4/authelia.nix | 57 +++++++++++++++++++++++++++++++++++------
 1 file changed, 49 insertions(+), 8 deletions(-)

diff --git a/hosts/rpi4/authelia.nix b/hosts/rpi4/authelia.nix
index 3ecf792..4f6aea8 100644
--- a/hosts/rpi4/authelia.nix
+++ b/hosts/rpi4/authelia.nix
@@ -106,6 +106,48 @@ let proxy_set_header X-Forwarded-URI $request_uri; ''; + genAuthConfig = + method: + let + snippet_regular = '' + ## Configure the redirection when the authz failure occurs. Lines starting + ## with 'Modern Method' and 'Legacy Method' should be commented / + ## uncommented as pairs. The modern method uses the session cookies + ## configuration's authelia_url value to determine the redirection URL here. + ## It's much simpler and compatible with the mutli-cookie domain easily. + + ## Modern Method: Set the $redirection_url to the Location header of the + ## response to the Authz endpoint. + auth_request_set $redirection_url $upstream_http_location; + + ## Modern Method: When there is a 401 response code from the authz endpoint + ## redirect to the $redirection_url. + error_page 401 =302 $redirection_url; + ''; + in + '' + ## Send a subrequest to Authelia to verify if the user is authenticated and + # has permission to access the resource. + + auth_request /internal/authelia/authz${optionalString method == "basic" "/basic"}; + + ## Save the upstream metadata response headers from Authelia to variables. + auth_request_set $user $upstream_http_remote_user; + auth_request_set $groups $upstream_http_remote_groups; + auth_request_set $name $upstream_http_remote_name; + auth_request_set $email $upstream_http_remote_email; + + ## Inject the metadata response headers from the variables into the request + ## made to the backend. + proxy_set_header Remote-User $user; + proxy_set_header Remote-Groups $groups; + proxy_set_header Remote-Name $name; + proxy_set_header Remote-Email $email; + + ${optionalString method == "regular" snippet_regular} + ''; + genAuthConfigPkg = + method: pkgs.writeText "authelia-authrequest-${method}.conf" (genAuthConfig method); in { # authelia 
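Review bot: `optionalString method == "basic" "/basic"` on the `auth_request` line (and `optionalString method == "regular" snippet_regular` at the end of the string) will not evaluate, because Nix function application binds tighter than `==`, so it parses as `(optionalString method) == ("basic" "/basic")` and tries to call a string; write `${optionalString (method == "basic") "/basic"}` and `${optionalString (method == "regular") snippet_regular}`. The `config =` assignment in the second hunk (`@@ -221,14 +263,13 @@`) has the same shape of defect: `lib.mkIf (a) && (b) && (c) { … }` applies `lib.mkIf` to the first parenthesised term only, so the three conditions must be grouped into a single argument, e.g. `lib.mkIf ((!(lib.strings.hasPrefix "/internal/authelia/" name)) && (!(isNull vhostConfig.authelia.upstream)) && (!(isNull config.authelia.method))) { … }`. Since `genAuthConfig` silently produces different nginx semantics per `method`, a short comment above it would help the next maintainer, e.g. `# method is "regular" or "basic"; only "regular" installs the error_page 401 =302 redirect to Authelia's Location header, presumably so basic-auth clients receive the 401 challenge unchanged`. The `let` binding this hunk extends starts before the hunk, so I cannot see whether `optionalString` is brought into scope there.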
@@ -221,14 +263,13 @@ in example = "basic"; }; config = - lib.mkIf (!(isNull vhostConfig.authelia.upstream)) - && (!(lib.strings.hasPrefix "/internal/authelia/" name)) lib.mkMerge [ - ( - lib.mkIf config.authelia.method == "regular" { - - } - ) - ]; + lib.mkIf (!(lib.strings.hasPrefix "/internal/authelia/" name)) + && (!(isNull vhostConfig.authelia.upstream)) + && (!(isNull config.authelia.method)) { + extraConfig = '' + include ${genAuthConfigPkg config.authelia.method}; + ''; + }; }; in